snakekeylogger | 0ef0022fbc09c3770f6ef6268806a7baa2fbd1141cf43144196f9313cf6e2663

General

Target

CAMSCANNER_XEROX111023.scr.exe
Size

168KB
MD5

c04d39e4d40a1ea077e10d2d2b78d25d
SHA1

ce37dc7a55e6eb78a7310074136d7b87c44c85eb
SHA256

0ef0022fbc09c3770f6ef6268806a7baa2fbd1141cf43144196f9313cf6e2663
SHA512

eb41864e2763c1338b39b2617350b0d288a5cd6572a50be84b2b86515a0bc4674518c7fb7b8a0b8412328aea88d6942c3d975951d71c3062f33c46b78029ddea
SSDEEP

1536:Apka7KXz5hwQLrR27irlIPOTaAqglHPUstodIKdoUy:ApH7anbXR27iKj9gvmBy

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\day1.exe	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\day1.exe	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\day1.exe	family_snakekeylogger
behavioral2/memory/3980-19-0x00000000001E0000-0x00000000001FC000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CAMSCANNER_XEROX111023.scr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	CAMSCANNER_XEROX111023.scr.exe

Executes dropped EXE 1 IoCs

Processes:

day1.exe

pid process

3980 day1.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

69 checkip.dyndns.org

pid	process
3980	day1.exe

flow	ioc
69	checkip.dyndns.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

CAMSCANNER_XEROX111023.scr.exeCAMSCANNER_XEROX111023.scr.exewhere.exe

description	pid	process	target process
PID 4428 set thread context of 1944	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 1944 set thread context of 3184	1944	CAMSCANNER_XEROX111023.scr.exe	Explorer.EXE
PID 1944 set thread context of 2708	1944	CAMSCANNER_XEROX111023.scr.exe	where.exe
PID 2708 set thread context of 3184	2708	where.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

where.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	where.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

CAMSCANNER_XEROX111023.scr.exeday1.exeCAMSCANNER_XEROX111023.scr.exewhere.exe

pid	process
4428	CAMSCANNER_XEROX111023.scr.exe
4428	CAMSCANNER_XEROX111023.scr.exe
3980	day1.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
1944	CAMSCANNER_XEROX111023.scr.exe
2708	where.exe
2708	where.exe
2708	where.exe
2708	where.exe
2708	where.exe
2708	where.exe
2708	where.exe
2708	where.exe
2708	where.exe
2708	where.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

CAMSCANNER_XEROX111023.scr.exeExplorer.EXEwhere.exe

pid process

1944 CAMSCANNER_XEROX111023.scr.exe
3184 Explorer.EXE
3184 Explorer.EXE
2708 where.exe
2708 where.exe
2708 where.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CAMSCANNER_XEROX111023.scr.exeday1.exe

description pid process

Token: SeDebugPrivilege 4428 CAMSCANNER_XEROX111023.scr.exe
Token: SeDebugPrivilege 3980 day1.exe

pid	process
1944	CAMSCANNER_XEROX111023.scr.exe
3184	Explorer.EXE
3184	Explorer.EXE
2708	where.exe
2708	where.exe
2708	where.exe

description	pid	process
Token: SeDebugPrivilege	4428	CAMSCANNER_XEROX111023.scr.exe
Token: SeDebugPrivilege	3980	day1.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

CAMSCANNER_XEROX111023.scr.exeExplorer.EXEwhere.exe

description	pid	process	target process
PID 4428 wrote to memory of 3980	4428	CAMSCANNER_XEROX111023.scr.exe	day1.exe
PID 4428 wrote to memory of 3980	4428	CAMSCANNER_XEROX111023.scr.exe	day1.exe
PID 4428 wrote to memory of 1144	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 4428 wrote to memory of 1144	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 4428 wrote to memory of 1144	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 4428 wrote to memory of 1944	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 4428 wrote to memory of 1944	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 4428 wrote to memory of 1944	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 4428 wrote to memory of 1944	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 4428 wrote to memory of 1944	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 4428 wrote to memory of 1944	4428	CAMSCANNER_XEROX111023.scr.exe	CAMSCANNER_XEROX111023.scr.exe
PID 3184 wrote to memory of 2708	3184	Explorer.EXE	where.exe
PID 3184 wrote to memory of 2708	3184	Explorer.EXE	where.exe
PID 3184 wrote to memory of 2708	3184	Explorer.EXE	where.exe
PID 2708 wrote to memory of 848	2708	where.exe	Firefox.exe
PID 2708 wrote to memory of 848	2708	where.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe
"C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\day1.exe
"C:\Users\Admin\AppData\Local\Temp\day1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe
C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe
3⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe
C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1944

C:\Windows\SysWOW64\where.exe
"C:\Windows\SysWOW64\where.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2708

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\day1.exe

Filesize
96KB

MD5
71bb9ac16c38c3a80c5d3f804a28e4f7

SHA1
1451bcd7eba073e6ea9a18c87e0409fc325720a3

SHA256
dd0e911ba194186388c0998b83ab216c912b659fff0683343f529ae194ab049c

SHA512
b69ad8fd6523e34e5cdf25750b3b5f12db45200e608d0b1e1c5fe6cadeb1a784f8214f2b6032cea1c87c798841012cb457660520391c4d418a089de568229798

Download Submit
C:\Users\Admin\AppData\Local\Temp\day1.exe

Filesize
96KB

MD5
71bb9ac16c38c3a80c5d3f804a28e4f7

SHA1
1451bcd7eba073e6ea9a18c87e0409fc325720a3

SHA256
dd0e911ba194186388c0998b83ab216c912b659fff0683343f529ae194ab049c

SHA512
b69ad8fd6523e34e5cdf25750b3b5f12db45200e608d0b1e1c5fe6cadeb1a784f8214f2b6032cea1c87c798841012cb457660520391c4d418a089de568229798

Download Submit
C:\Users\Admin\AppData\Local\Temp\day1.exe

Filesize
96KB

MD5
71bb9ac16c38c3a80c5d3f804a28e4f7

SHA1
1451bcd7eba073e6ea9a18c87e0409fc325720a3

SHA256
dd0e911ba194186388c0998b83ab216c912b659fff0683343f529ae194ab049c

SHA512
b69ad8fd6523e34e5cdf25750b3b5f12db45200e608d0b1e1c5fe6cadeb1a784f8214f2b6032cea1c87c798841012cb457660520391c4d418a089de568229798

Download Submit
memory/1944-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1944-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1944-32-0x0000000001540000-0x0000000001561000-memory.dmp

Filesize
132KB

Download
memory/1944-37-0x0000000001540000-0x0000000001561000-memory.dmp

Filesize
132KB

Download
memory/1944-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1944-30-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1944-25-0x0000000001680000-0x00000000019CA000-memory.dmp

Filesize
3.3MB

Download
memory/1944-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2708-45-0x00000000028E0000-0x0000000002980000-memory.dmp

Filesize
640KB

Download
memory/2708-39-0x0000000000AF0000-0x0000000000B2A000-memory.dmp

Filesize
232KB

Download
memory/2708-38-0x0000000002C40000-0x0000000002F8A000-memory.dmp

Filesize
3.3MB

Download
memory/2708-35-0x0000000000AF0000-0x0000000000B2A000-memory.dmp

Filesize
232KB

Download
memory/2708-34-0x0000000000AF0000-0x0000000000B2A000-memory.dmp

Filesize
232KB

Download
memory/2708-42-0x0000000000AF0000-0x0000000000B2A000-memory.dmp

Filesize
232KB

Download
memory/2708-41-0x00000000028E0000-0x0000000002980000-memory.dmp

Filesize
640KB

Download
memory/3184-43-0x0000000008550000-0x0000000008623000-memory.dmp

Filesize
844KB

Download
memory/3184-46-0x0000000008550000-0x0000000008623000-memory.dmp

Filesize
844KB

Download
memory/3184-33-0x000000000D330000-0x000000000E52B000-memory.dmp

Filesize
18.0MB

Download
memory/3184-40-0x000000000D330000-0x000000000E52B000-memory.dmp

Filesize
18.0MB

Download
memory/3184-44-0x0000000008550000-0x0000000008623000-memory.dmp

Filesize
844KB

Download
memory/3980-21-0x00007FF89FBB0000-0x00007FF8A0671000-memory.dmp

Filesize
10.8MB

Download
memory/3980-26-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/3980-27-0x00007FF89FBB0000-0x00007FF8A0671000-memory.dmp

Filesize
10.8MB

Download
memory/3980-29-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/3980-19-0x00000000001E0000-0x00000000001FC000-memory.dmp

Filesize
112KB

Download
memory/4428-20-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/4428-0-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4428-3-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/4428-6-0x0000000006C50000-0x0000000006CC0000-memory.dmp

Filesize
448KB

Download
memory/4428-24-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4428-4-0x0000000006BD0000-0x0000000006C52000-memory.dmp

Filesize
520KB

Download
memory/4428-1-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/4428-2-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4428-7-0x0000000006110000-0x000000000615C000-memory.dmp

Filesize
304KB

Download
memory/4428-5-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads